Editor's Note:
This is the fifth in a series of guidance notes on what the "Schrems II" decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what "Schrems II" means for Brexit and what companies can expect with the road ahead on these issues.
Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis.
BCRs are also not in the scope of the "Schrems II" decision, and the Court of Justice of the European Union has not in any way touched upon the validity of existing BCRs. That said, BCRs are essentially another "adequacy instrument," just like the standard contractual clauses and EU-U.S. Privacy Shield. In other words, when approving BCRs, the supervisory authorities must have been convinced that the group companies, including those in the U.S. and the U.K., were required and able to comply with the contractual safeguards of the BCR arrangement. However, in the aftermath of the “Schrems II” decision, it is likely that, if individual SCC-based transfers would be considered noncompliant on grounds related to U.S. government surveillance, the same would apply to BCR-based transfers to the U.S.
In practice, the main difference is where the burden of assessing the adequacy of the safeguards rests: with the supervisory authorities if a company uses BCRs, whereas the user of SCCs must, according to the CJEU, make its own adequacy assessment and is accountable if that assessment turns out to be wrong.
Will this decision affect BCR approvals that are planned or already in the pipeline?
This is a question we have heard from many organizations, and it is a difficult one to answer. First, it is clear that the "Schrems II" decision will drive more organizations to file for BCR approval, especially those who have group companies in the U.S. that process the customer's data as a sub-processor. Many technology suppliers contract with EU corporate customers through their EU subsidiaries based on a "local-to-local" processing agreement. Since there are still no processor-to-sub-processor SCCs and uncertainty remains whether the controller-to-processor SCCs can be used for transfers from an EU processor to a sub-processor in a third country, the only safe way to deal with data transfer restrictions without having to create direct legal relationships between the EU customers and the supplier's U.S. affiliates is to use BCRs.
Clearly, there will be more demand for BCRs, and it is no secret that the supervisory authorities are already understaffed and overstretched. Their international transfer teams are already trying to cope with the flood of new BCR approval applications that is caused by Brexit. So getting new BCRs approved will definitely take more time than in the past.
A more fundamental yet "crystal ball" question is whether supervisory authorities will be prepared to give their blessing to pending BCR applications from organizations that have affiliates in the U.S., as well as in the U.K. and other countries with surveillance laws. Neither the European Data Protection Board nor an individual supervisory authority is likely to be keen to be the first to decide what measures an individual company must put in place to ensure "adequate protection" of personal data transferred to the applicant's group companies in the U.S. However, they may not want to hold off on all BCR applications until the courts have provided clarity.
Legal certainty with BCRs?
Obtaining much-needed clarity from the courts may take a long time. If the supervisory authority rejects a BCR application, the applicant would have to appeal that decision through the national courts. A reference for a preliminary ruling to the CJEU would be possible but limited to questions of the interpretation of EU law (e.g., what level of adequacy is needed?). The ultimate determination will, therefore, likely be left to national courts.
Another option would be for the supervisory authorities to approve BCRs conditionally, stating that the approval will be revisited if and when the CJEU or a national court rules on an individual transfer, and/or that the BCRs may need to be updated to incorporate any additional measures the supervisory authority or the EDPB establishes in the future.
The easiest way out for supervisory authorities would be to approve BCRs with the caveat that any individual transfer remains subject to adequacy requirements that the users of the BCRs and/or the BCR lead must assess post-approval on an individual basis, i.e., per data flow. By passing the buck in this manner, the supervisory authorities would, of course, rob the BCRs of their primary value: legal certainty.
Does the 'Schrems II' decision jeopardize existing BCRs?
BCRs are certainly not going to be invalidated, for the simple reason that they are a direct feature of the EU General Data Protection Regulation rather than being based on a decision of the European Commission, as the Privacy Shield and the SCCs are. However, the vast majority of BCRs approved before the GDPR entered into force on May 25, 2018, will eventually need to be revised. The supervisory authorities and the EDPB will then face the same issue as with new applications: renewing the existing BCRs of organizations with group companies in the U.S. will, by implication, mean that the supervisory authorities are satisfied that the safeguards are adequate.
In any case, a supervisory authority could take the position that, despite their approved status, existing BCRs still require a case-by-case assessment of individual transfers.
Conclusion
BCRs are here to stay and will most likely gain popularity. At the same time, they pose a challenge to supervisory authorities: if the EDPB approves BCRs without any caveats, this will mean, by implication, that the contractual safeguards set forth therein are fit for all third countries in scope.
Pending BCR applications will hopefully be the catalyst that drives the EDPB to take an official position on whether "additional measures" are required of organizations that transfer personal data to their group companies in the U.S. Passing the buck by approving BCRs with the caveat that individual transfers have to be assessed case by case would strip BCRs of what makes them popular in the first place: legal certainty.